Security Center

Another Voter Database Exposed Online

2017-09-14

By Security Center

The Kromtech Security Center has discovered a misconfigured CouchDB instance containing information on 593,328 US citizens (Alaska voters). The misconfiguration left the database exposed to the public Internet.

The records appeared to be part of VoterBase, one of the market's leading national voter files, containing the contact and voting information of over 191 million voters and 58 million unregistered, voting-age consumers, compiled and provided by TargetSmart, a leading provider of political data and technology.

Shortly after we received the report with the initial results on that breach and a few samples for verification, the database was independently secured. To clarify who was behind the leak and for how long the files of more than half a million US citizens had been online, I have reached out to TargetSmart.

TargetSmart CEO Tom Bonier was very helpful and responsive, and after a quick investigation provided us with a statement:

STATEMENT BY TARGETSMART

We've learned that Equals3, an AI software company based in Minnesota, appears to have failed to secure some of their data and some data they license from TargetSmart, and that a database of approximately 593,000 Alaska voters appears to have been inadvertently exposed, but not accessed by anyone other than the security researchers on our team and the team that identified the exposure. None of the exposed TargetSmart data included any personally-identifiable non-public financial data. And to be clear, TargetSmart's database and systems are secure and have not been breached. TargetSmart imposes strict contractual obligations on its clients regarding how TargetSmart data must be stored and secured, and takes these obligations seriously.

Equals3 has confirmed that the file was never accessed by anyone other than the security researcher who brought the exposure to our attention, and our team as they investigated the exposure. Equals3 assures us that although the data was left exposed for a time, it has since been taken offline and secured.

We are thankful to the Kromtech security researchers for raising this issue with us.

How The Breach Happened?

It appears that a misconfigured CouchDB instance is once again the culprit. When the database was configured, administrators bypassed important security settings, leaving access set to “public” instead of “private” and allowing anyone with an internet connection to gain access to the repository. Those who follow cybersecurity news may remember that in early 2017 an estimated 10% of CouchDB servers were victims of ransomware because of the same misconfiguration.

In this case CouchDB was misconfigured so that no login or password was required to access the data (the same happens with some other non-SQL databases, e.g. MongoDB). In simple words: administrators often skip or disable security settings in order to ease access to the database internally or remotely. By default, the database is secured. Moreover, CouchDB also has a web interface that allows viewing and editing the information right in a browser, without any special software.
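The settings behind this kind of exposure can be checked in a CouchDB `local.ini` before an instance goes live. The following audit script is an added example, not code from Kromtech or from the affected server; both sample configurations are constructed for illustration, and the admin hash is a placeholder.

```python
import configparser

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: the weak settings described above.
WEAK_INI = """
[chttpd]
bind_address = 0.0.0.0
port = 5984

[couch_httpd_auth]
require_valid_user = false

[admins]
"""

# Constructed sample: the corrected settings (the hash is a placeholder).
HARDENED_INI = """
[chttpd]
bind_address = 127.0.0.1
port = 5984
require_valid_user = true

[admins]
admin = -pbkdf2-PLACEHOLDER_HASH,PLACEHOLDER_SALT,10
"""

def audit_couchdb_ini(text):
    """Return finding codes for a CouchDB local.ini passed in as text."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []
    # A listener bound to anything other than loopback is reachable remotely.
    binds = [cfg.get(s, "bind_address", fallback="") for s in ("chttpd", "httpd")]
    if any(b.strip() and b.strip() not in LOOPBACK for b in binds):
        findings.append("NETWORK_EXPOSED")
    # No server admin: CouchDB before 3.0 then treats every request as admin.
    if not (cfg.has_section("admins") and cfg.options("admins")):
        findings.append("NO_ADMIN_ACCOUNT")
    # Unless require_valid_user is true, anonymous requests are accepted.
    sections = ("chttpd", "couch_httpd_auth")
    if not any(cfg.getboolean(s, "require_valid_user", fallback=False) for s in sections):
        findings.append("ANONYMOUS_ALLOWED")
    return findings

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_couchdb_ini(ini) or "no findings")
```

All three findings together describe an instance that serves its data to any client that can reach the port; any single one is worth fixing before the others appear.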

What Next?

Few people will deny that the 2016 election has done much more than divide voters along ideological lines; it also exposed how cyber security and elections are something we all must focus on moving forward. This discovery and data leak is yet another black eye for the political organizations, which have a long string of voter data breaches.

The spotlight on the most recent US elections shows just how insecure the entire American election system really is. More than ever before, technology plays a bigger role in how candidates and campaigns reach out to voters. For the voting process to be fair and honest, it requires identifying voters and verifying their information before they cast their ballots. It seems that more and more state, federal and local officials rely on technology to store or access voter records, and this puts voter data at risk of being leaked or hacked.

Currently there is no Federal Agency enforcing voter data records, and states have a tangled web of rules and laws. How can American voters feel safe and secure while exercising their democratic right of voting when it feels like every few months there is a new data leak exposing their personal information? Each new exposure raises more questions about the data protection and privacy of American voters. The Russian cyber attacks on state voter databases and their interference in the presidential election is a wakeup call for more security measures to protect the entire infrastructure. Let's be honest: it is hard to feel confident that your voter data has not already been leaked publicly, given how many leaks have occurred in the last few years. When it comes to sensitive data, private corporations and political campaigns have an obligation to take the most basic cyber security measures, but time and time again we have seen them leak data despite numerous warnings.

Alex Kernishniuk, VP of strategic alliances, Kromtech:

There seems to be no end in sight for improperly secured data making its way onto the web and with little or no accountability for proper storage and security measures it is up to regulators to decide the best way to manage an aging electoral system that seems to be struggling to keep up with the digital age. This is yet another wakeup call for companies, governments, and political organizations to audit their networks, servers and storage devices and ensure they take the proper security precautions.

Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.